Windows vulnerability

Winsage
March 26, 2025
0patch has released micropatches for a critical SCF File NTLM hash disclosure vulnerability affecting all Windows versions from Windows 7 to Windows 11 and Windows Server editions from 2008 to 2025. This vulnerability allows attackers to obtain users' NTLM credentials by having them view a malicious file in Windows Explorer. 0patch operates on a subscription model and provides security fixes for unsupported Windows versions, as well as complimentary patches for unaddressed vulnerabilities. Specific details about the vulnerability are currently withheld, pending an official fix from Microsoft.
Winsage
March 18, 2025
At least 11 state-backed hacking groups from North Korea, Iran, Russia, and China have been exploiting a Windows vulnerability tracked as ZDI-CAN-25373 since 2017 for data theft and cyber espionage. Microsoft has classified this vulnerability as "not meeting the bar for servicing," meaning no security updates will be released. The flaw allows attackers to execute arbitrary code on affected Windows systems by concealing malicious command-line arguments within .LNK shortcut files, using padded whitespace to evade detection. Nearly 70% of the analyzed attacks linked to this vulnerability were related to espionage, while 20% aimed for financial gain. Various malware payloads, including Ursnif, Gh0st RAT, and Trickbot, have been associated with these attacks. User interaction is required to exploit this vulnerability, as the target must visit a malicious page or open a malicious file. Microsoft has not assigned a CVE-ID to this vulnerability but is tracking it internally as ZDI-CAN-25373. A Microsoft spokesperson mentioned that the company is considering addressing the flaw in the future.
Winsage
February 14, 2025
A vulnerability in Microsoft Windows, identified by ClearSky Cyber Security, is being actively exploited by the Chinese APT group Mustang Panda. This low-severity vulnerability affects how Windows processes files from compressed RAR archives, making extracted files invisible in the Windows Explorer GUI while still accessible via command-line tools. Mustang Panda uses this vulnerability to hide malicious files within archives, facilitating stealthy attacks through phishing campaigns. Despite its exploitation, Microsoft has rated the vulnerability as low-severity, which may indicate limited potential damage. Cybersecurity experts warn that such vulnerabilities can have significant implications when used in larger attack strategies.
Winsage
February 5, 2025
Microsoft has introduced a PowerShell script, KB5053484, to address the 2023 BlackLotus Secure Boot vulnerability (CVE-2023-24932) in Windows operating systems. This update targets Windows-bootable media and aligns with the new Secure Boot Certificate Authority (CA) released in February 2024, replacing the outdated CA from 2011. The BlackLotus vulnerability allows attackers to bypass Secure Boot in Windows 10 and 11, potentially injecting harmful code at the UEFI level. The update is available immediately to enhance security against this threat.
Winsage
December 17, 2024
The US Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:
1. Microsoft Windows Kernel-Mode Driver Untrusted Pointer Dereference Vulnerability (CVE-2024-35250) - Severity score: 7.8.
2. Adobe ColdFusion improper access control vulnerability (CVE-2024-20767) - Severity score: 7.4, affecting ColdFusion versions 2023.6, 2021.12, and earlier.
CISA has set a deadline of January 6, 2025, for federal agencies to address these vulnerabilities.
Winsage
December 16, 2024
The Cybersecurity and Infrastructure Security Agency (CISA) has warned U.S. federal agencies about a critical Windows kernel vulnerability, CVE-2024-35250, which allows local attackers to elevate their privileges to SYSTEM level. This vulnerability is linked to the Microsoft Kernel Streaming Service (MSKSSRV.SYS) and was exploited during the Pwn2Own Vancouver 2024 competition. Microsoft issued a patch for this vulnerability in June 2024, but proof-of-concept exploit code appeared on GitHub four months later. CISA has also flagged a critical Adobe ColdFusion vulnerability, CVE-2024-20767, which allows unauthenticated remote attackers to access sensitive files. Over 145,000 ColdFusion servers are exposed to the Internet. Both vulnerabilities are listed in CISA's Known Exploited Vulnerabilities catalog, and federal agencies must secure their networks by January 6 under the Binding Operational Directive (BOD) 22-01.
Winsage
November 30, 2024
Security researchers have confirmed a cyber attack attributed to the Russian state-sponsored threat group RomCom, exploiting two zero-day vulnerabilities in Mozilla Firefox and Windows operating systems. The vulnerabilities are CVE-2024-9680, a use-after-free memory flaw in Firefox, and CVE-2024-49039, a privilege escalation flaw in Windows. The attack primarily affects users in Europe and North America and allows for the installation of a backdoor on Windows systems without user interaction. RomCom has expanded its focus to include industries such as pharmaceuticals, insurance, and legal sectors in the US and Germany. Mozilla and Microsoft have released patches to address these vulnerabilities, with Mozilla patching Firefox within a day and Microsoft addressing the Windows vulnerability in the latest Patch Tuesday updates. Experts warn that organizations must keep their software updated to mitigate ongoing risks from RomCom attackers.
Winsage
November 27, 2024
A critical vulnerability in Windows, identified as CVE-2024-49039 with a CVSS score of 8.8, allows arbitrary code execution via a web page visit. It is compounded by another vulnerability, CVE-2024-9680, which has a CVSS score of 9.8 and affects browsers like Firefox and Thunderbird, enabling a sandbox escape through the Windows Task Scheduler. Both vulnerabilities have been addressed, but users must update their systems. RomCom, a cyber threat group linked to Russia, has been exploiting these vulnerabilities to install malicious software. Microsoft has extended Windows 10 support until October 2024, urging users to upgrade for long-term security. Mozilla released a fix for the browser vulnerability within 25 hours, while Microsoft has patched the Windows flaw. Regular updates are essential to protect against evolving cyber threats.